An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome. This is only possible when e-mail sending is consistently failing.
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "binaries": [ { "binary_name": "python-django", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" }, { "binary_name": "python-django-common", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" }, { "binary_name": "python-django-doc", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" }, { "binary_name": "python3-django", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" } ], "ubuntu_priority": "low" }
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "No subscription required", "binaries": [ { "binary_name": "python-django-doc", "binary_version": "2:2.2.12-1ubuntu0.25" }, { "binary_name": "python3-django", "binary_version": "2:2.2.12-1ubuntu0.25" } ], "ubuntu_priority": "low" }
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "No subscription required", "binaries": [ { "binary_name": "python-django-doc", "binary_version": "2:3.2.12-2ubuntu1.14" }, { "binary_name": "python3-django", "binary_version": "2:3.2.12-2ubuntu1.14" } ], "ubuntu_priority": "low" }
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "No subscription required", "binaries": [ { "binary_name": "python-django-doc", "binary_version": "3:4.2.15-1ubuntu1" }, { "binary_name": "python3-django", "binary_version": "3:4.2.15-1ubuntu1" } ], "ubuntu_priority": "low" }
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "No subscription required", "binaries": [ { "binary_name": "python-django-doc", "binary_version": "3:4.2.11-1ubuntu1.3" }, { "binary_name": "python3-django", "binary_version": "3:4.2.11-1ubuntu1.3" } ], "ubuntu_priority": "low" }
{ "priority_reason": "Only allows enumeration of user e-mail addresses via a brute-force approach.", "availability": "No subscription required", "binaries": [ { "binary_name": "python-django-doc", "binary_version": "3:4.2.15-1ubuntu1" }, { "binary_name": "python3-django", "binary_version": "3:4.2.15-1ubuntu1" } ], "ubuntu_priority": "low" }